colorful pins connectedOrganizations today are taking great strides when it comes to innovation, but unfortunately security and governance continue to lag behind. One recent study revealed that, although the DevOps ratio is now 10:1, the DevSec ratio is still 100:1. We need to understand what’s causing this gap and what actions we can take to bridge it.

Earlier this year, Sonatype put together an article looking at what enterprises can do to bridge the gap between software developers, IT operations, and security. We’ve summarized their thoughts here, but we encourage you to read the full article if you would like to learn more.

Understanding the Gaps in Dev(Sec)Ops

It’s important to reinforce that day-to-day security measures like checking for third-party vulnerabilities and responding to incidents aren’t the cause for concern. Instead, where voids tend to appear is with things such as hacker mindsets (proactively searching for new possible attack vectors) and in performing tasks like in-depth risk analyses and threat models, all of which play key roles in enabling enterprises to create robust, holistic security architectures.

Two Models for Addressing the Problem

1. Fully Shared Responsibilities

This framework calls for each development team to integrate at least one T-shaped individual (someone capable of many things and an expert in one) who specializes in security. This person needs to be able to translate security threats into actionable items that their team can implement and communicate concerns in ways business owners and leaders will understand.

Keep in mind that the security-focused person shouldn’t be allocated all of the security work otherwise the silo will simply be transformed from a macro one (where there’s a distinct security team) to a micro one (where there is an isolated team member). Over time, the job of doing security analyses should be spread throughout the team so that the T-shaped person can stay on top of best practices, find new tools and methods, facilitate workshops, and ultimately lead security strategy.

Pros

Cons

  • Reduce incidents more quickly and prevent them down the road by increasing the ownership security has in the development of new products, services, and solutions.
  • Increase the Dev-to-Ops-to-Sec ratio. Not only will this embed security within your development processes, but it will also allow more people to bring their diverse experiences to the decision-making table.
  • Signal to your employees and end users alike that security is a top priority for your organization.
  • The cost associated with finding and recruiting the right people can be high, and the transition itself can take time.
  • High-performing, autonomous teams tend to thrive on stability and will be extra sensitive to personnel changes.
  • Teams may feel the lack of centralized contact for security, which is why channels of communication always need to be open between team members and security-focused persons within the enterprise.


The Final Wordsecurity button

A fully shared responsibilities model is often ideal for companies with cross-functional, autonomous teams that each work on products or services with very different risk profiles. Spotify is one of the largest and highest-profile companies to have adopted this approach.

2. Security as an Enabling Team

In this model, a central security team supports multiple product development teams, getting involved from day one of a project to make sure they can provide security-specific feedback at each stage of the process. An important caveat here is that the security team shouldn’t actually perform analyses or implementations. They should simply promote best practices and provide guidance on which other teams can act.

Switching to the security-as-an-enabling team model can sometimes be an easier transition for enterprises because it doesn’t require the same degree of structural change that a fully shared responsibilities model does. Ultimately, the biggest challenge with this approach tends to be making the shift without confusion or regression.

Pros

Cons

  • The timeframe to enablement is shorter.
  • Enterprises don’t need to hire too many new team members, avoiding hassles associated with recruitment and team disruption.
  • Effective communication is critical to the success of this approach.
  • For product development teams already working at maximum capacity, introducing new responsibilities can be challenging.
  • This shift might not resonate as much with employees and customers, and it is easier to backslide into a model where the security team is solely responsible for analyzing, implementing, and guiding.


The Final Word

This approach works well for companies that have a smaller number of teams to begin with, especially if those teams (or members of them) have a pre-existing interest in security. Enterprises that have taken this approach include Sportradar.

Evolve Teams to Suit Changing Security Needs

Remember that team design shouldn’t be static. The best fit for you today might get in the way of better, faster developments tomorrow, which is why you need to be prepared to adapt as your organization grows.


iTMethods helps companies accelerate software delivery capabilities through their Cloud-native DevOps SaaS Platform. The Enterprise SaaS offering features a toolchain catalog comprised of best-of-breed DevOps tools including CloudBees Jenkins, Github, Atlassian, Sonatype, and many more. These tools are deployed to each customer’s specific requirements, including security, scalability, and 24/7 customer support. Learn more at itmethods.com.

Read more from iTMethods:

Managed DevOps Platform

Securely hosted in the cloud, our DevOps platform is offered as single-tenant SaaS or managed customer VPC. Empowering teams with cutting-edge tools, it streamlines collaboration and accelerates development cycles for efficient high quality software delivery.

Modernize your DevOps Tools

Increase productivity, reduce costs and stay current with the latest tool/features across your evolving DevOps tech stack.

Hosted/Managed by Experts

Free your resources and execute with enterprise trusted solutions for your DevOps tools & tools management.

~

Single-Tenant SaaS or Managed Customer VPC

Not all cloud deployments models are created equal, retain full control and align your enterprise business requirements.

Highly Secure & Compliant

Cloud with enterprise controls, security and assurance your deployments are protected and integrate seamlessly.

Customer Obsessed

Partner with the global DevOps leader focused on delivering innovative solutions that delight our customers everyday!

Learn more or talk to an expert today!

Learn More

DevOps SaaS Platform

Our SaaS-based DevOps platform, hosted securely on the cloud, empowers your teams, equips them with cutting-edge tools, and addresses your highjest business priorities, ensuring you retain your competitive edge and lead the market.

Modernize your DevOps Tools

Increase productivity, reduce costs and stay current with the latest features across your evolving DevOps tech stack.

Hosted/Managed by Experts

Free your resources and execute with enterprise trusted solutions for your DevOps tools & tools management.

~

Single-Tenant SaaS or Managed Customer VPC

Not all cloud deployments models are created equal, retain full control and align your enterprise business requirements.

Highly Secure & Compliant

Cloud with enterprise controls, security and assurance your deployments are protected and integrate seamlessly.

Customer Obsessed

Partner with the global DevOps leader focused on delivering innovative solutions that delight our customers everyday!

Learn more or talk to an expert today!

Learn More

AI/ML Services and Managed Platforms

Partnering with top AI/ML ISVs and infrastructure providers, we offer comprehensive services and managed platforms to address your intricate AI solution requirements.

OFFERINGS:

Professional Services

Maximizing organizations’ data science and AI capabilities with specialized services and support.

Managed Services

Expert managed offerings for your ISV tools, models and leading cloud infrastructure (AWS, Azure, Nvidia).

iTMethods’ AI WorkBench

Production-ready managed platform for seamless deployment of top-tier AI/ML tools, models & infrastructure. View on AWS Marketplace

FEATURED PARTNERS:

Helping customers realize Python’s full potential for artificial intelligence (AI), machine learning (ML), & data science. >>Learn More

Zetaris AI’s data analytics platform enables businesses to access & analyze data from various sources in real-time without duplication. >>Learn More

JFrog Platform Managed Hosting
Delivering a simplified, secure, & governed AI/ML pipelines as part of our end-to-end Software Supply Chain Platform. >>Learn More

AI/ML Services & Managed Platforms

Partnering with top AI/ML ISVs and infrastructure providers, we offer comprehensive services and managed platforms to address your intricate AI solution requirements.

OFFERINGS:

Professional Services

Maximizing organizations’ data science and AI capabilities with specialized services and support.

Managed Services

Expert managed offerings for your ISV tools, models and leading cloud infrastructure (AWS, Azure, Nvidia).

iTMethods’ AI WorkBench

Production-ready managed platform for seamless deployment of top-tier AI/ML tools, models & infrastructure. View on AWS Marketplace

FEATURED PARTNERS:

Helping customers realize Python’s full potential for artificial intelligence (AI), machine learning (ML), & data science. >>Learn More

Zetaris AI’s data analytics platform enables businesses to access & analyze data from various sources in real-time without duplication. >>Learn More

JFrog Platform Managed Hosting
Delivering a simplified, secure, & governed AI/ML pipelines as part of our end-to-end Software Supply Chain Platform. >>Learn More

DevOps & Cloud Solutions

Optimize your teams with expert solutions for software development, deployment automation, security and Cloud infrastructure management.

SERVICES OVERVIEW

CI/CD Pipeline Development

Optimize your software development and deployments

JFrog Professional Services

Enhance your DevOps and AI/ML software supply chain security.

Infrastructure as Code (IaC)

Rapidly implement and maintain your IaC technologies

Cloud Infrastructure

Unlock the full potential of AWS, Azure, and Containers / Kubernetes

GitOps & Monitoring

Git-based practices with advanced monitoring solutions

How We Help

Flexible Consulting and Support Services:

  • Assessments
  • Strategy & Design
  • Implementation
  • Comprehensive Support

Learn More

DevOps & Cloud Solutions

Optimize your teams with expert solutions for software development, deployment automation, security and Cloud infrastructure management.

SERVICES OVERVIEW

CI/CD Pipeline Development

Optimize your software development and deployments

Infrastructure as Code (IaC)

Rapidly implement and maintain your IaC technologies

Cloud Infrastructure

Unlock the full potential of AWS, Azure, and Containers / Kubernetes

GitOps & Monitoring

Git-based practices with advanced monitoring solutions

Jira-based IT Service Management (ITSM)

Prescriptive solutions pre-built with Jira Service Management (JSM)

How We Help

Flexible Consulting and Subscription Services:

  • Assessments
  • Strategy & Design
  • Implementation
  • Managed Services

Learn More

iTMethods 360: for Atlassian

Our Atlassian solution pillars each designed to deliver the highest level of consistent value and customer experience to all the organizations we serve.

ATLASSIAN SOLUTIONS

Atlassian Cloud Migration

Addressing complex migration options to the Cloud.

Atlassian Consulting

Helping teams benefit from the full potential of Atlassian tools.

Atlassian Managed Services

Expert administration, support and functional services subscription.

Atlassian Data Center Hosting

Single-Tenant SaaS or Managed Customer VPC instances in the cloud.

Atlassian Licensing Solutions

Expert guidance and support for all your Atlassian licensing needs.

FEATURING:

Atlassian Managed Services

Accelerate success with your Atlassian tools today! Choose from our flexible service plans.

SERVER END-OF-LIFE
Migrate to Atlassian Cloud or our Single-Tenant SaaS / Managed Customer VPC options.

iTMethods 360: for Atlassian

End-to-end Atlassian coverage helping customers allocate internal resources to their highest business priorities.

ATLASSIAN SOLUTIONS

Atlassian Cloud Migration

Addressing complex migration options to the Cloud.

Atlassian Consulting

Providing your teams full potential of your Atlassian tools.

Atlassian Managed Services

Expert administration, support and functional services subscription.

Atlassian Data Center Hosting

Single-Tenant SaaS or Managed Customer VPC instances in the cloud.

Atlassian Licensing Solutions

Expert guidance and support for all your Atlassian licensing needs 

FEATURING:

Atlassian Managed Services

Accelerate success with your Atlassian tools today! Choose from our flexible service plans.

SERVER END-OF-LIFE
Migrate to Atlassian Cloud or our Single-Tenant SaaS / Managed Customer VPC options.

Resources

iTMethods resources, best practices, industry trends and news for Enterprise DevOps and Cloud Transformation.

Blog

Stay up to date with the latest in Enterprise DevOps Tools & Tool Management.

Webinars & Videos

Watch industry leaders discuss how to get the most out of your DevOps investment.

eBooks & Whitepapers

Industry leading research and insight available to download.

Reports & Guides

Expert industry analysis and guidance at your finger tips.

Case Studies

Explore our library of case studies.

Partner with the global leader in DevOps Tools and Tools Management

Fast track your Digital Transformation priorities with our ready to run solutions.

Looking for a customer obsessed partner? Let’s Talk!

Resources

iTMethods resources, best practices, industry trends and news for Enterprise DevOps and Cloud Transformation.

Blog

Stay up to date with the latest in Enterprise DevOps Tools & Tool Management.

Webinars & Videos

Watch industry leaders discuss how to get the most out of your DevOps investment.

eBooks & Whitepapers

Industry leading research and insight available to download.

Reports & Guides

Expert industry analysis and guidance at your finger tips.

Case Studies

Explore our library of case studies.

Partner with the global leader in DevOps and AI/ML Tools and Tools Management

Fast track your Software Development  priorities with our ready to run solutions.

Looking for a customer obsessed partner? Let’s Talk!